January 27, 2022

U.S. Retrieves Millions in Ransom Paid to Colonial Pipeline Hackers

WASHINGTON—U.S. authorities have recovered millions of dollars in digital currency paid to the hackers who hit a major East Coast fuel pipeline with a ransomware attack last month, in a law-enforcement operation that officials said demonstrated progress undermining criminals’ ability to disrupt American commerce and critical infrastructure for profit.

Investigators seized about 64 bitcoin, valued at roughly $2.3 million, from a virtual wallet—the alleged proceeds from the ransom hack carried out by a suspected Russian-based criminal gang on Colonial Pipeline Co., the Justice Department said.

“The extortionists will never see this money,”

Stephanie Hinds,

acting U.S. attorney for the Northern District of California, where the seizure warrant was obtained, told reporters. “This case demonstrates our resolve to develop methods to prevent evildoers from converting new methods of payment into tools and extortion for undeserved profits.”

Senior Biden administration officials have in recent weeks characterized ransomware, in which criminals take an organization’s data or computer system hostage for ransom, as an urgent national-security threat. In just the past month ransomware attackers linked to Russia have threatened the nation’s fuel and meat supply, and poorly defended school systems, hospitals and local governments have suffered increasingly frequent ransomware attacks.

Ransomware has also become a diplomatic issue for the U.S., because the perpetrators of the attacks often appear to reside in countries unwilling to extradite them to the U.S., like Russia or North Korea.

President Biden

and other officials have said there is no evidence the Russian government was involved in the Colonial attack, but have condemned Russian President

Vladimir Putin

for allowing criminal hackers to target the U.S. freely. Mr. Biden intends to discuss the matter with Mr. Putin at their summit in Geneva on June 16.

A cyberattack on the U.S.’s largest fuel pipeline on May 7 forced a shutdown that triggered a spike in gas prices and shortages in parts of the Southeast. WSJ explains just how vulnerable the nation’s critical energy infrastructure is to attack. Photo illustration: Liz Ornitz/WSJ

“One of the things that President Biden will make clear to President Putin when he sees him is that states cannot be in the business of harboring those who are engaged in these kinds of attacks,” Secretary of State

Antony Blinken

said Monday in congressional testimony.

Mr. Putin has broadly denied Western accusations about cyberattacks originating in Russia and said on Russian state television last week that it was absurd to suggest any Russian involvement in recent ransomware attacks

Last month Colonial Pipeline, which transports gasoline, diesel, jet fuel and other refined products from the Gulf Coast to Linden, N.J., was shut down for six days as the company responded to the ransomware attack on its business systems. The company voluntarily took the pipeline offline due to concerns the hack would spread, and the stoppage spurred a run on gasoline along parts of the East Coast that pushed prices to the highest levels in more than six years and left thousands of gas stations without fuel.

The FBI officially discourages victims from paying ransoms because doing so can fuel a booming criminal marketplace and often won’t actually result in the restoration of the frozen computer systems. But the pipeline company’s Chief Executive Officer

Joseph Blount

told The Wall Street Journal the company paid $4.4 million to the hackers because executives were unsure how badly the cyberattack had breached its systems or how long it would take to bring the pipeline back online.

The ransom amounted to 75 bitcoin, a person familiar with the payment said, of which 64 was recovered. Because the cryptocurrency fluctuates dramatically in value, the dollar value recovered was only a little more than half the dollar value of the ransom payment.

In a statement Monday, Mr. Blount said Colonial plans to keep sharing “intelligence and learnings” with federal agencies, and that its goal was to help other critical infrastructure companies harden their cyber defenses and collaborate across industries to thwart attacks.

“Holding cyber criminals accountable and disrupting the ecosystem that allows them to operate is the best way to deter and defend against future attacks of this nature,” Mr. Blount said.

Mr. Blount is scheduled to testify at the Senate about the hack and pipeline outage on Tuesday and again before a House committee on Wednesday.

On Monday investigators obtained a seizure warrant from a magistrate judge in northern California that enabled authorities working with Colonial Pipeline to capture the bitcoin from the virtual wallet linked to the hacking group.

The FBI had tracked Colonial’s ransom payment across several bitcoin addresses in May, court documents show.

Law-enforcement officials often work with private-sector analysts who can track cryptocurrency transactions across public ledgers known as blockchains. By mapping clusters of virtual wallets and cross-referencing their transactions with intelligence about hacks, analysts say, they are able to reliably trace many ransom payments.

Upon receiving payouts from victims such as Colonial, hackers often switch funds among several wallets to cover their tracks or pay affiliates, as well as convert ransoms to different cryptocurrencies or hard money at exchanges. Law-enforcement officials can step in with search warrants and seize funds from the exchanges, analysts say.

“Because bitcoin transactions are available on a publicly distributed ledger, in many cases law enforcement can trace bitcoin payments and track stolen funds,” said Sujit Raman, a former senior Justice Department official. “When cybercriminals use bitcoin, that can sometimes be more traceable than just using cash or fiat currency.”

U.S. law enforcement have previously seized ransomware proceeds and other cryptocurrency sums, including more than $1 million tied to a Palestinian militant group last year. Officials Monday indicated they intended to more frequently seek to recover funds paid to ransomware operators to disincentivize the activity.

Fuel tanks at a Colonial Pipeline station in Washington.



Photo:

Drew Angerer/Getty Images

Administration officials and some lawmakers have in recent weeks called for consideration of tighter regulations of digital currencies, noting they have enabled ransomware groups and other criminals to extort victims.

The FBI has previously blamed the Colonial Pipeline attack on DarkSide, a prolific ransomware group that U.S. officials say is based in Russia and that security researchers say has made tens of millions over the past year, often by sharing its malware with affiliate criminals and then splitting proceeds. Tom Robinson, co-founder of blockchain analytics firm Elliptic, which tracked the Colonial-to-DarkSide transaction, said the amount seized appears to represent DarkSide affiliates’ share of the stash.

Investigators have identified over 90 victims of DarkSide ransomware across several critical infrastructure sectors, including manufacturing, legal, insurance, healthcare and energy, FBI Deputy Director Paul Abbate said Monday.

DarkSide told associates last month that it was shutting down in the wake of the pipeline hack, citing pressure from U.S. law enforcement. Security researchers, however, said it is not uncommon for ransomware groups such as DarkSide to disband, only to pop up later under a different name.

Colonial Pipeline Shutdown

Write to Dustin Volz at dustin.volz@wsj.com, Sadie Gurman at sadie.gurman@wsj.com and David Uberti at david.uberti@wsj.com

Copyright ©2020 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8

in Tech
Related Posts

Didi Stock Rises on First Day, Notching Market Value Near $80 Billion

June 30, 2021

June 30, 2021

Didi Global Inc.’s stock jumped on the first day of trading after its IPO, as investors gobbled up shares of...

Irish Healthcare System Struggles With Tech Disruptions After May Ransomware Attack

June 18, 2021

June 18, 2021

Ireland’s healthcare service is still slowly restoring its technology systems five weeks after suffering a ransomware attack, highlighting the painful...

Roku Plans to Develop More Than 50 Original Shows in Next Two Years

November 19, 2021

November 19, 2021

Roku Inc., the nation’s biggest pathway to streaming services, wants to become an entertainment force in its own right. The...

Google Strikes Deal With Hospital Chain to Develop Healthcare Algorithms

May 26, 2021

May 26, 2021

Alphabet Inc.’s GOOG 0.65% Google and national hospital chain HCA Healthcare Inc. HCA 1.19% have struck a deal to develop...

Lobbyists for Silicon Valley Giants Like Facebook Find Glory Days Are Over

June 17, 2021

June 17, 2021

WASHINGTON—President Biden’s decision to name the progressive antitrust crusader Lina Khan to lead the Federal Trade Commission is a stark...

Trump Justice Department Sought Democratic Lawmakers’ Records From Apple

June 11, 2021

June 11, 2021

WASHINGTON—The Justice Department during the Trump administration sought records from Apple Inc. relating to communications by House Intelligence Committee members...

Tesla Shareholder Panasonic Sells Stake for $3.6 Billion

June 25, 2021

June 25, 2021

TOKYO— Tesla Inc.’s TSLA 1.09% leading battery supplier is no longer a Tesla shareholder. Panasonic Corp. PCRFY 2.20% said Friday...

U.S. Mandates Body Cameras for Federal Law-Enforcement Officers

June 8, 2021

June 8, 2021

WASHINGTON—The Justice Department will require federal agents to wear body cameras when executing arrest warrants or searching buildings, Deputy Attorney...

Elon Musk’s Starlink Could Get Boost From German Subsidies

June 1, 2021

June 1, 2021

BERLIN—Germany could become the first large nation to subsidize the use of consumer satellite internet services such as that offered...

Nvidia Posts Record Earnings on Videogaming, Cryptocurrency Demand

May 26, 2021

May 26, 2021

Nvidia Corp. NVDA 0.33% reported a record quarterly revenue and profit, propelled by demand for videogaming and cryptocurrency and despite...

Geico to Use Artificial Intelligence to Speed Up Car Repairs

May 25, 2021

May 25, 2021

Geico, the nation’s second-biggest auto insurer, will try to speed up vehicle repairs for its policyholders by running photographs of...

Companies Struggle to Keep Their Tech Workers From Logging Off

June 18, 2021

June 18, 2021

Many information-technology workers in the U.S. are on the hunt for new jobs, seeking a wider array of remote work...

Google Should Be Treated as Utility, Ohio Argues in New Lawsuit

June 8, 2021

June 8, 2021

Google’s critics have said for years that it should be treated like a public utility. On Tuesday, Ohio’s attorney general...

Stack Overflow Sold to Tech Giant Prosus for $1.8 Billion

June 2, 2021

June 2, 2021

Prosus PRX 0.54% NV said it struck a $1.8 billion deal to acquire Stack Overflow, an online community for software...

The Ruthless Hackers Behind Ransomware Attacks on U.S. Hospitals: ‘They Do Not Care’

June 10, 2021

June 10, 2021

A ransomware attack on a national hospital chain nearly brought Las Vegas hospitals to their knees. Another attack in Oregon...